Network flow analysis

US 8,929,236 B2
Filed: 07/30/2012
Issued: 01/06/2015
Est. Priority Date: 07/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method for network flow analysis, comprising:

receiving sample packets from a stream of packets over a time interval from a network element;

aggregating the sample packets into a subclass of packets;

determining a sample pool size of the stream of packets in the time interval, a number of sample packets received over the time interval, and a number of sample packets aggregated into the subclass of packets;

calculating an effective sampling ratio (ESR) from the sample pool size of the stream of packets in the time interval and the number of sample packets received over the time interval;

comparing the calculated ESR to a [historical ESR]numerical value to determine if the calculated ESR is within a predetermined range of the [historical ESR]numerical value; and

calculating an extrapolated flow for the subclass of sample packets as a function of the calculated ESR and the number of sample packets aggregated into the subclass of packets when the calculated ESR is within the predetermined range of the [historical ESR]numerical value and calculating an extrapolated flow for the subclass of sample packets as a function of the [historical ESR]numerical value and the number of sample packets aggregated into the subclass of packets when the calculated ESR is outside the predetermined range of the [historical ESR]numerical value,wherein the numerical value is calculated as a function of a plurality of historical ESR values.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In an example network flow analysis, sample packets can be received from a stream of packets over a time interval from a network element. The sample packets can be aggregated into a subclass of packets. A sample pool size of the stream of packets in the time interval, a number of sample packets received over the time interval, and a number of sample packets aggregated into the subclass of packets can be determined. An effective sampling ratio (ESR) from the sample pool size of the stream of packets in the time interval and the number of sample packets received over the time interval can be calculated. An extrapolated flow for the subclass of sample packets can be calculated by multiplying the ESR by the number of sample packets aggregated into the subclass of packets.

8 Citations

15 Claims

1. A method for network flow analysis, comprising:
- receiving sample packets from a stream of packets over a time interval from a network element;
  
  aggregating the sample packets into a subclass of packets;
  
  determining a sample pool size of the stream of packets in the time interval, a number of sample packets received over the time interval, and a number of sample packets aggregated into the subclass of packets;
  
  calculating an effective sampling ratio (ESR) from the sample pool size of the stream of packets in the time interval and the number of sample packets received over the time interval;
  
  comparing the calculated ESR to a [historical ESR]numerical value to determine if the calculated ESR is within a predetermined range of the [historical ESR]numerical value; and
  
  calculating an extrapolated flow for the subclass of sample packets as a function of the calculated ESR and the number of sample packets aggregated into the subclass of packets when the calculated ESR is within the predetermined range of the [historical ESR]numerical value and calculating an extrapolated flow for the subclass of sample packets as a function of the [historical ESR]numerical value and the number of sample packets aggregated into the subclass of packets when the calculated ESR is outside the predetermined range of the [historical ESR]numerical value,wherein the numerical value is calculated as a function of a plurality of historical ESR values.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein the method includes determining whether the calculated ESR is an outlier versus a stored ESR.
  - 3. The method of claim 2, wherein the method includes using the calculated ESR to determine the extrapolated flow for the subclass of sample packets when the calculated ESR is not an outlier versus the stored ESR.
  - 4. The method of claim 1, wherein the method includes using a value for the calculated ESR based on a stored ESR to determine the extrapolated flow for the subclass of sample packets when the calculated ESR is an outlier versus the stored ESR.
  - 5. The method of claim 4, wherein the value for the calculated ESR based on the stored ESR is determined by taking a mean value of a plurality of stored ESRs.
  - 6. The method of claim 4, wherein the method includes:
    - calculating a mean of the stored ESR and the calculated ESR; and
      
      determining whether the calculated ESR is an outlier versus the stored ESR as a function of a difference of the calculated mean and the calculated ESR divided by a standard deviation of the stored ESR.
  - 7. The method of claim 1, wherein the method includes receiving sampling parameters associated with the sample packets that include at least one of a reporting interface associated with the sample packets, source and destination hosts, source and destination ports, protocols, type of service, and volume.
  - 8. The method of claim 1, wherein calculating the ESR from the sample pool size of the stream of packets in the time interval and the number of sample packets received over the time interval includes dividing a difference between a sample pool number of a first packet and a sample pool number of a last packet in the stream of packets in the time interval by the number of sample packets received over the time interval.

9. A non-transitory computer-readable medium storing instructions for network flow analysis executable by a computer to cause the computer to:
- receive a first set of sample packets from a stream of packets over a time interval from a network element;
  
  calculate an effective sampling ratio (ESR) by dividing a sample pool size of the stream of packets in the time interval by a total number of the first set of sample packets received from the stream of packets;
  
  calculate an outlier value for the calculated ESR by dividing the difference between a mean of a previously calculated ESR and the calculated ESR by a standard deviation of the previously calculated ESR;
  
  determine whether the calculated ESR is an outlier by comparing the outlier value for the calculated ESR to a pre-defined outlier value;
  
  determine whether to store the calculated ESR or the previously calculated ESR in an array of ESR values based on the comparison of the outlier value to the pre-defined outlier value; and
  
  calculate an extrapolated flow for the first set of sample packets as a function of the stored ESR and the total number of the first set of sample packets.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The computer-readable medium of claim 9, wherein the instructions include instructions to:
    - calculate an ESR from a second set of sample packets from the stream of packets upon filling the array with ESR values; and
      
      determine whether the ESR calculated from the second set of sample packets is an outlier versus the ESR values in the array.
  - 11. The computer-readable medium of claim 10, wherein the instructions include instructions to:
    - calculate an outlier value for the ESR calculated from the second set of sample packets by dividing the difference between a mean of ESR values in the ESR array and the ESR calculated from the second set of sample packets by a standard deviation of the ESR values in the ESR array and the ESR calculated from the second set of sample packets; and
      
      determine whether the calculated ESR from the second set of sample packets is an outlier by comparing the outlier value for the calculated ESR from the second set of sample packets to the pre-defined outlier value.
  - 12. The computer-readable medium of claim 10, wherein the instructions include instructions to use the ESR calculated from the second set of sample packets to determine an extrapolated flow for a subclass of the second set of sample packets when the ESR calculated from the second set of sample packets is not an outlier versus the ESR values in the array.
  - 13. The computer-readable medium of claim 10, wherein the instructions include instructions to use a value based on the ESR values in the array to determine an extrapolated flow for a subclass of the second set of sample packets when the ESR calculated from the second set of sample packets is an outlier versus the ESR values in the array.

14. A system for network flow analysis, the system comprising a processor in communication with a non-transitory computer-readable medium, wherein the computer-readable medium contains a set of instructions and wherein the processor is configured to carry out the set of instructions to:
- receive sample packets from a stream of packets over a time interval from a network element;
  
  aggregate the sample packets into a subclass of packets;
  
  calculate an effective sampling ratio (ESR) by dividing a sample pool size of the stream of packets in the time interval by a total number of sample packets received from the stream of packets;
  
  determine whether the calculated ESR is an outlier versus a stored array of ESR values by comparing the calculated ESR to at least one of the stored ESR values; and
  
  calculate an extrapolated flow for the subclass of packets by multiplying the calculated ESR by the number of sample packets aggregated into the subclass of packets when the calculated ESR is determined to not be an outlier versus the stored array of ESR values and calculate an extrapolated flow for the subclass of sample packets by multiplying the at least one of the stored ESR values and the number of sample packets aggregated into the subclass of packets when the calculated ESR is determined to be an outlier versus the stored array of ESR values.
- View Dependent Claims (15)
- - 15. The system of claim 14, wherein the stored array of ESR values is updated with the calculated ESR upon a determination that the calculated ESR is not an outlier versus the stored array of ESR values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Valtrus Innovations Limited (f/k/a Dolya Holdco 9 Limited) (Key Patent Innovations Limited)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Samik, Bhattacharya, Swapnesh, Banerjee
Primary Examiner(s)
Cheng, Peter

Application Number

US13/561,451
Publication Number

US 20140029452A1
Time in Patent Office

890 Days
Field of Search

370252-254
US Class Current

370/252
CPC Class Codes

H04L 43/024 by adaptive sampling

Network flow analysis

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

8 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Network flow analysis

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links